VERSION 0.6

ARG DOCKERHUB_USER_SECRET=+secrets/DOCKERHUB_USER
ARG DOCKERHUB_TOKEN_SECRET=+secrets/DOCKERHUB_TOKEN
ARG DOCKERHUB_MIRROR
ARG DOCKERHUB_MIRROR_INSECURE=false
ARG DOCKERHUB_AUTH=true

test-rsa-only:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=false \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# next validate ssh is working
ssh git@git.example.com | grep \"Hi git! You've successfully authenticated, but you get no shellz\"

# finally perform earthly tests
earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-ed25519-only:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=false \
        --SSHD_ED25519=true \
        --USER_RSA=false \
        --USER_ED25519=true
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-ed25519-key
ssh-add -l

# next validate ssh is working
ssh git@git.example.com | grep \"Hi git! You've successfully authenticated, but you get no shellz\"

# finally perform earthly tests
earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-server-both-user-rsa-only:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# next validate ssh is working
ssh git@git.example.com | grep \"Hi git! You've successfully authenticated, but you get no shellz\"

# finally perform earthly tests
earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-server-both-with-missing-keyscan:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# Clear out known_hosts
> ~/.ssh/known_hosts

if earthly --config \$earthly_config --verbose -D +test > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi
cat output.txt | grep 'no known_hosts entries found for git.example.com; falling back to https'

if earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi
cat output.txt | grep 'no known_hosts entries found for git.example.com; falling back to https'
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-server-both-with-only-rsa-keyscan:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# limit known_hosts to ssh-rsa only
cp ~/.ssh/known_hosts /tmp/known_hosts.old
cat /tmp/known_hosts.old | grep ssh-rsa > ~/.ssh/known_hosts
cat ~/.ssh/known_hosts

earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-server-both-with-only-ed25519-keyscan:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# limit known_hosts to ssh-ed25519 only
cp ~/.ssh/known_hosts /tmp/known_hosts.old
cat /tmp/known_hosts.old | grep ssh-ed25519 > ~/.ssh/known_hosts
cat ~/.ssh/known_hosts

earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-configured-ssh-no-keyscan:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# Clear out known_hosts
> ~/.ssh/known_hosts

# Setup auth to be ssh; disallowing https-fallback.
earthly --config \$earthly_config config 'git.\"git.example.com\"' '{\"auth\": \"ssh\", \"user\": \"git\"}'

if earthly --config \$earthly_config --verbose -D +test > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi

if earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi

# Next configure earthly to allow unknown hosts (insecure!)
earthly --config \$earthly_config config 'git.\"git.example.com\"' '{\"auth\": \"ssh\", \"user\": \"git\", \"strict_host_key_checking\": false}'

# earthly should now be able to clone these even though no known_hosts entry exists
earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello

" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-server-with-unhashed-keyscan:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# first check that known_hosts are hashed (hashed entries start with |1|)
cat ~/.ssh/known_hosts | awk '{print \$1}' | grep '|1|'

# convert hashed hostnames into unhashed hostnames
cp ~/.ssh/known_hosts /tmp/known_hosts.old
cat /tmp/known_hosts.old | awk '{printf \"git.example.com %s %s\\n\", \$2, \$3}' > ~/.ssh/known_hosts

earthly --config \$earthly_config --verbose -D +test
earthly --config \$earthly_config --verbose -D git.example.com/testuser/repo:main+hello

" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-private-ssh.earth --exec_cmd=/tmp/test-earthly-script

test-with-custom-matcher:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# Clear out known_hosts
mv ~/.ssh/known_hosts /tmp/known_hosts.old

# Setup auth to be ssh; with custom pattern/sub that converts `funnyserver/repo` to `ssh://git@git.example.com:22/home/git/testuser/repo.git`
earthly --config \$earthly_config config 'git.\"git.example.com\"' '{\"auth\": \"ssh\", \"user\": \"git\", \"pattern\": \"funnyserver/([^/]+)\", \"substitute\": \"ssh://git@git.example.com:22/home/git/testuser/\$1.git\"}'
cat \$earthly_config

if earthly --config \$earthly_config --verbose -D +test > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi

if earthly --config \$earthly_config --verbose -D funnyserver/repo:main+hello > output.txt 2>&1; then
    cat output.txt
    echo \"expected earthly failure, but got clean exit code instead\" && exit 1
fi

# restore known_hosts
mv /tmp/known_hosts.old ~/.ssh/known_hosts

# earthly should now be able to clone these even though no known_hosts entry exists
earthly --config \$earthly_config --verbose -D +test 2>&1 | tee output.txt
cat output.txt | grep $(echo MTIzM2MwODQtNGNmNS00Nzk3LWE0YzUtZWI2NTM1NGVlN2Vl | base64 -d)

earthly --config \$earthly_config --verbose -D funnyserver/repo:main+hello 2>&1 | tee output.txt
cat output.txt | grep $(echo MTIzM2MwODQtNGNmNS00Nzk3LWE0YzUtZWI2NTM1NGVlN2Vl | base64 -d)


" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=from-funnyserver.earth --exec_cmd=/tmp/test-earthly-script

test-git-clone-command-with-custom-matcher:
    FROM ./setup+server \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE \
        --SSHD_RSA=true \
        --SSHD_ED25519=true \
        --USER_RSA=true \
        --USER_ED25519=false
    RUN --no-cache echo "#!/bin/sh
set -ex

# first ensure these two /etc/hosts entries are working
ping -c 1 git.example.com
ping -c 1 buildkitsandbox

# load in preauthorized key
eval \$(ssh-agent)
ssh-add /root/self-hosted-rsa-key
ssh-add -l

# Setup auth to be ssh; with custom pattern/sub that converts `funnyserver/repo` to `ssh://git@git.example.com:22/home/git/testuser/repo.git`
#earthly --config \$earthly_config config 'git.\"git.example.com\"' '{\"auth\": \"ssh\", \"user\": \"git\", \"pattern\": \"funnyserver/([^/]+)\", \"substitute\": \"ssh://git@git.example.com:22/home/git/testuser/\$1.git\"}'
#cat \$earthly_config

# call target which performs a git-clone
(set +e; earthly --config \$earthly_config --verbose -D +test 2>&1; echo \"\$?\" > status) | tee output.txt
test \"\$(cat status)\" = \"0\"
grep fb5de6fc4b750a88841cd91b55bdec6d output.txt
" >/tmp/test-earthly-script && chmod +x /tmp/test-earthly-script
    DO +RUN_EARTHLY_ARGS --pre_command=start-sshd --earthfile=git-clone-funnyserver.earth --exec_cmd=/tmp/test-earthly-script


all:
    BUILD +test-rsa-only
    BUILD +test-ed25519-only
    BUILD +test-server-both-user-rsa-only
    BUILD +test-server-both-with-missing-keyscan
    BUILD +test-server-both-with-only-rsa-keyscan
    BUILD +test-server-both-with-only-ed25519-keyscan
    BUILD +test-configured-ssh-no-keyscan
    BUILD +test-server-with-unhashed-keyscan
    BUILD +test-with-custom-matcher
    BUILD +test-git-clone-command-with-custom-matcher

RUN_EARTHLY_ARGS:
    COMMAND
    ARG earthfile
    ARG pre_command
    ARG exec_cmd
    DO ..+RUN_EARTHLY \
        --earthfile=$earthfile \
        --pre_command=$pre_command \
        --exec_cmd=$exec_cmd \
        --DOCKERHUB_AUTH=$DOCKERHUB_AUTH \
        --DOCKERHUB_USER_SECRET=$DOCKERHUB_USER_SECRET \
        --DOCKERHUB_TOKEN_SECRET=$DOCKERHUB_TOKEN_SECRET \
        --DOCKERHUB_MIRROR=$DOCKERHUB_MIRROR \
        --DOCKERHUB_MIRROR_INSECURE=$DOCKERHUB_MIRROR_INSECURE
